Casino Enterprise Management

The Internal Revenue Service is looking forward to reviewing your risk assessment during its next visit to your casino. The federal anti-money laundering regulation known as the Bank Secrecy Act (BSA), or Title 31, requires that casinos have a comprehensive program to ensure regulatory compliance. The compliance program is not specifically outlined by FinCEN or the IRS, and therefore, it is not a one-size-fits-all program. Casinos are required to analyze products, services, training, internal controls, procedures, committees and audits to determine the risks associated with Title 31 and implement or revise existing programs to mitigate these risks. It is nearly impossible for a casino to create a comprehensive program without completing a risk assessment, which identifies categories for analysis including, but not limited to, products, services and geographic location. Upon identification, these categories must be analyzed to determine the risk for Title 31 non-compliance and addressed using mitigating controls that will reduce the chances of non-compliance.

A risk assessment is generally used as a guide that outlines compliance strengths and weaknesses. It provides a risk profile and identifies gaps in existing policies, procedures and internal controls. Upon risk assessment completion, the casino can take action by applying appropriate risk management processes, communicating the risks and taking action to improve the overall compliance program.

All casinos subject to anti-money laundering regulations are required to comply with this requirement. This includes large and small casinos, racinos, card clubs, and some subsidiary companies or departments owned or operated by casinos. Although the Title 31 regulation states that a casino must follow this regulation when the gross revenues exceed $1 million per year, there are similar regulatory requirements for casinos that earn less in revenue.

Any non-gaming department that interacts with gaming patrons must also know about this regulation. A review of all departments and positions should be considered during the risk assessment process. Consider the risk of a contracted security officer working in your gaming facility. Depending on the officer’s operational knowledge of the casino, he may release sensitive information to a criminal without knowing he did so, thus providing the criminal with the information needed to begin money laundering activities at your casino. In other words, a risk assessment is a systematic process for identifying and mitigating risk through internal controls, policies, procedures and training. The risk assessment process protects casinos from internal and external criminals while reducing the potential expense of a fine.

If you do not complete a risk assessment, it is possible that nothing may happen and the casino does not become a criminal target. Casinos are often the targets of racketeering, embezzlement, money laundering and tax evasion schemes. Casinos that do not have a comprehensive risk assessment and compliance program will risk a penalty of up to $25,000 per violation per day in a best-case scenario. In extreme cases, casinos may have to close due to their continued inability to ensure compliance with this regulatory requirement. Most mission statements include visions of profitability, loyalty, protecting shareholders or tribal future earnings. It may be difficult to accomplish the mission statement vision if a casino has not identified these risks.

Casinos have good people, and this would never intentionally happen at most casinos. However, employees leave, get promoted, are terminated and sometimes get desperate during tough economic times. In many cases, it is not a terrorist or criminal that walks into your casino and launders money to fund their nefarious activities. Instead, it is a typical person, patron or employee that is desperate for money, recognition or societal change. As a result, we should ask ourselves: Could this happen to us? Your risk assessment will identify key factors affected by the economy, such as loss of critical positions, training deficiencies, program issues and lack of support or suspicious activity by key personnel. If we create an environment that shines a light on inadequacies, these types of activities are less likely to occur in our casinos.

What might the IRS look for in your risk assessment?

• Whether the casino developed a risk assessment.
• Management’s consideration of all aspects of products, services, customers, entities, transactions and geographic locations.
• Whether management’s detailed analysis (Step 2) is within these specific risk categories and (Step 1) was adequate.
• If a risk assessment is not complete, the IRS will do their own assessment.
• Whether the risk assessment is accurate in determining high risk vs. low risk.
• It may be determined that the casino has a high-risk profile, but during the audit, the examiner may determine that the compliance program adequately mitigates these risks. Therefore, it would be low risk.
• It may be determined that the casino has a low or moderate risk profile, however, during the audit, the examiner may determine that the casino’s compliance program does not adequately mitigate these risks.

Now that we have a better understanding of the risk assessment process, we need to determine how to maintain a findings-free environment. The first step is a consultation with your internal auditor to learn about the current audit process he or she uses to identify risk with other required casino regulations. Your internal auditor may have a solid process, documents and extensive knowledge to assist in the Title 31 risk assessment process. The internal auditor may not be a subject matter expert on the regulation; instead, the Title 31 expert should work jointly with the internal auditor and learn about the assessment process to ensure a successful assessment.

Memorialize all categories and analysis in a document that is easily accessible by the casino compliance committee. Share the details of the risk assessment with personnel that are subject matter experts in their departments to ensure that the analysis is comprehensive and includes workable solutions to mitigating risk. Use the risk assessment as a tool to evaluate the effectiveness of your Title 31 program, and revisit the assessment each time a category changes. For example, if you change check-cashing providers or bring new slot games to the casino floor, consider updating these categories on the risk assessment and review for changes in risk. See the examples below for a better understanding of the analysis required for a risk assessment.

Example 1
The data collected in the first step of the risk assessment process reflects that your casino receives 100 wire fund transfers a month. Further analysis may show that approximately 90 percent of the funds transfers are recurring, well-documented transactions for well-established patrons. On the other hand, the analysis may show that 90 percent of these transfers are non-recurring or are for non-customers. What is the risk in each situation? (While the numbers are the same for these two examples, note that the overall risks are different.)

Example 2
You determine that your casino has not reported or filed CTRs for patrons with cash transactions that exceeded $10,000. Upon further analysis, your casino determines that the patron is performing transactions less than $3,000. Your casino’s procedure requires communication between cashiers and departments at $3,000. Is there a risk to the MTL tracking process? How might you rate your risk? How do you mitigate your risk?

Example 3
You determine that your casino’s customer base is located in a HIDTA area and your casino provides safe deposit boxes to these customers. Upon further analysis, your casino determines that they are unable to trace 50 percent of the safe deposit boxes back to their original owners. In addition, the records for accessing the boxes are not consistently completed and some pages are missing. Is there a risk to offering this type of service? How might you rate your risk? How do you mitigate your risk?

There are other options if you do not have an internal auditor, Title 31 expert or a standard risk assessment process in place. Consider consulting your colleagues in the industry or working with a qualified consultant. When working with a consultant, check to ensure that they are experienced in assessing risk and an expert in your industry. Ask the consultant about their relationship with the IRS and the results of any recent work reviewed by the IRS. Request and call the consultant’s references to obtain details about the risk assessment process and effectiveness. This is a good opportunity to network with references regarding risk assessment and the IRS audit process. Remember, the ultimate responsibility for compliance is the casino and its owners, not the consultant. The IRS recommends fines up to $25,000 per day, so do your homework to ensure that you are working with a well-known firm or reputable consultant.

Risk assessment is a major component of a casino compliance program and should be the first step in adopting, reviewing or revising a comprehensive anti-money laundering program. Save time and expense by assessing your risk before the IRS does it for you. The IRS rate is $25,000 per fine per day, with the potential of closing the casino, depending on the severity of non-compliance. Consider the gross revenue that must be earned by your casino to pay these fines. Casinos save money when they create a findings-free environment. This is a win-win situation for the casino, its employees, its officers, its shareholders and its owners. The next time you hear about a risk assessment or the IRS calls for a visit, be ready.

Mindy Letourneau is the Managing Director of Casino Essentials LLC. She has more than 15 years experience of BSA regulatory compliance with extensive experience managing gaming operations, with key emphasis on regulatory compliance, performance management and operational efficiencies. She can be reached at (877) 811-3534 x102 or Mindy[at]CasinoEssentials.com.